Jun 23, 2011

Upgrade to Firefox 5 to get patches, says company, but add-on compatibility issues may make some users hesitate Firefox 5 was Mozilla's decision to retire Firefox 4, the browser it shipped just three months ago. As part of Tuesday's Firefox 5 release, Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4.

That's because Firefox 4 has reached what Mozilla calls EOL, for "end of life," for vulnerability patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 with security updates has been discussed by Mozilla's developers and managers for weeks.

A mozilla.dev.planning mailing list thread that started May 17 evolved into a back-and-forth about the rapid-release schedule and its impact on Firefox 4. Christian Legnitto, the Firefox release manager, put it most succinctly in a May 25 message. "Firefox 5 will be the security update for Firefox 4," Legnitto said. As Mozilla had said earlier, that means Firefox 4.0.1 -- shipped in late April to fix eight flaws -- was the one and only security update for Firefox 4.

Mozilla is essentially taking another page from Google Chrome's playbook. Google only outlines the patches it has applied to the current "stable" build, the most polished form of Chrome that is analogous to Mozilla's final releases. Google does not patch the flaws in earlier editions, primarily because it automatically updates the browser in the background, ensuing that virtually all users are running the most secure version.

Mozilla doesn't yet conduct automatic updates, but it has changed how upgrades to a new version are offered to Firefox users. "[For earlier major upgrades] we popped up a window asking people to opt in (major update offer)," said Legnitto in another message on the same thread. "For 4.0.1, users will need to opt out (minor update offer, like point/security releases)." Mozilla expects the opt-out approach will get more users onto the newest edition faster.

On Tuesday, Firefox 4 users started seeing the upgrade offer for Firefox 5 when a pop-up appeared reading: "A security and stability update for Firefox is available. It is strongly suggested that you apply this update for Firefox as soon as possible."In the offer, the default action was "Update Firefox." Only by clicking the "Ask Later" button or by closing the pop-up can users decline the upgrade. But some Firefox 4 users may want to opt out of the upgrade, even though that leaves them at risk to exploits of already patched bugs. One traditional area of concern is add-on compatibility, a pain point known to longtime Firefox users when they've moved from one version number to the next.

Mozilla has retired Firefox 4 from security support, and is prompting users to upgrade to the new Firefox 5.